Currently, Microsoft Office 365 customers who use single sign-on (SSO) through AD FS 2.0 and have multiple top-level domains as users' user principal name (UPN) suffixes within their organization (for example, @contoso.com and @fabrikam.com) are required to deploy a separate instance of the AD FS 2.0 Federation Service for each suffix.  There is now a rollup for AD FS 2.0 (http://support.microsoft.com/kb/2607496) that, used together with the “SupportMultipleDomain” switch, enables a single AD FS 2.0 server to support this scenario without requiring additional AD FS 2.0 servers.


Support for Sub domains

It is important to note that the “SupportMultipleDomain” switch is not required when you have a single top-level domain and multiple sub domains.  For example, if the UPN suffixes in use are @sales.contoso.com, @marketing.contoso.com and @contoso.com, and the top-level domain (contoso.com in this case) was added and federated first, then you do not need to use the “SupportMultipleDomain” switch.  The sub domains are managed within the scope of the parent domain, so a single AD FS server already handles them.
If, however, you have multiple top-level domains (@contoso.com and @fabrikam.com) and those domains also have sub domains (@sales.contoso.com and @sales.fabrikam.com), the “SupportMultipleDomain” switch will not work for the sub domains and users with those UPN suffixes will not be able to log in.  We are working on a solution for this problem and will post it as soon as it is ready; until then this configuration is not supported.

What if I already have multiple AD FS Servers or need to add more supported domains?

If you currently have an AD FS 2.0 server configured to support a single domain, or you have multiple AD FS 2.0 servers (one for each federated top-level domain) and want to move to a single server or add more domains to an existing server, the following procedure will help you with that process.
NOTE:  During this process users will be unable to authenticate for a few minutes while the trust is being recreated.

  1. Select the primary server of the AD FS farm you want to keep (if you have more than one farm), or the current server if you have only one.
  2. Ensure you have the Microsoft Online Services Module for Windows PowerShell installed and working correctly (see http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652560.aspx for more details).  This is very important to minimize the downtime impact.
  3. Ensure you are able to update the current trust (Update-MsolFederatedDomain -DomainName <domainname>) by following the “Update trust properties” section of the following article: http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652538.aspx.  Again, make sure that you can do this; if you cannot, fix this before you move forward.
  4. After, and only after, ensuring you can update the trust, perform the following on the AD FS primary server.  Once you complete this step users will not be able to log on (if you have multiple servers this only affects the users of this one server):
    • Open the “AD FS 2.0 Management Console”
    • Navigate to the Relying Party Trusts node (Trust Relationships | Relying Party Trusts)
    • Delete the relying party trust named “Microsoft Office 365 Identity Platform” or “Microsoft Online Trust” (whichever name is present)
  5. Re-run step 3 to update the trust again, this time making sure to include the “-SupportMultipleDomain” switch.  This recreates the trust and configures it so that you can add additional top-level domains to the server.  At the end of this step users will be able to log on again.
  6. Refresh the view in the “AD FS 2.0 Management Console” to ensure the trust has been recreated.
  7. Run Get-MsolFederationProperty -DomainName <domain> -SupportMultipleDomain to confirm the settings match on both the AD FS 2.0 server and in the cloud.

If you have more top-level domains on other servers, run Update-MsolFederatedDomain -DomainName <domain> -SupportMultipleDomain for each of them on the server you kept above; once you have confirmed the update you can decommission the other servers.  If you are simply adding more top-level domains, use the standard procedures to add a new domain or convert an existing domain (Convert-MsolDomainToFederated), remembering to use -SupportMultipleDomain as you add or convert the domains.
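The procedure above as one Windows PowerShell script, added here as an example and not taken from the original post or from Microsoft's tooling.  It assumes contoso.com is the domain whose trust is recreated and fabrikam.com is a second top-level domain currently federated on another AD FS server (both placeholders), that the trust carries one of the two names listed in step 4, and that the script is run in an elevated session on the primary AD FS 2.0 server.  The Get-O365RelyingPartyTrust helper is this example's own; everything else is MSOnline and AD FS 2.0 snap-in cmdlets.

```powershell
# Added example, not code from the original post. Consolidates to a single
# AD FS 2.0 farm and enables SupportMultipleDomain, following steps 1-7 above.
# Run in an elevated Windows PowerShell session ON THE PRIMARY AD FS 2.0 SERVER.
# Assumptions: contoso.com is the domain whose trust is recreated, fabrikam.com
# is a second top-level domain currently on another AD FS server, and the trust
# has one of the two names below. Replace these with your own values.

$PrimaryDomain = "contoso.com"
$OtherDomains  = @("fabrikam.com")
$TrustNames    = @("Microsoft Office 365 Identity Platform", "Microsoft Online Trust")

Import-Module MSOnline                                                  # Microsoft Online Services Module
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue    # AD FS 2.0 cmdlets
Connect-MsolService                                                     # prompts for tenant admin credentials

function Get-O365RelyingPartyTrust {
    # Helper for this example: returns the Office 365 trust whichever of the two names it has.
    Get-ADFSRelyingPartyTrust | Where-Object { $TrustNames -contains $_.Name }
}

# Step 3: prove the trust can be updated BEFORE anything is deleted.
# -ErrorAction Stop turns a failed update into a terminating error so the script
# stops here instead of going on to the destructive step.
try {
    Update-MsolFederatedDomain -DomainName $PrimaryDomain -ErrorAction Stop
} catch {
    throw "Update-MsolFederatedDomain failed for $PrimaryDomain; fix this before deleting the trust. $_"
}

# Step 4: delete the existing Office 365 relying party trust. Users cannot log on
# from this point until step 5 completes.
$rp = Get-O365RelyingPartyTrust
if (-not $rp) { throw "No Office 365 relying party trust found; nothing to recreate." }
Remove-ADFSRelyingPartyTrust -TargetName $rp.Name

# Step 5: recreate the trust with SupportMultipleDomain.
Update-MsolFederatedDomain -DomainName $PrimaryDomain -SupportMultipleDomain -ErrorAction Stop

# Step 6: confirm the trust is back.
$rp = Get-O365RelyingPartyTrust
if (-not $rp) { throw "Trust was not recreated; users cannot log on. Re-run step 5." }

# With SupportMultipleDomain the recreated trust carries an issuance transform rule
# that derives the issuer from the UPN suffix (claim type ".../claims/issuerid").
# Its presence is the on-server sign that the switch took effect; it is also why a
# UPN suffix that is not itself a federated top-level domain (the sub domain case
# described above) fails.
if ($rp.IssuanceTransformRules -notmatch "issuerid") {
    Write-Warning "No issuerid rule on the recreated trust; SupportMultipleDomain may not have applied."
}

# Step 7: compare the AD FS side with the cloud side for the primary domain.
Get-MsolFederationProperty -DomainName $PrimaryDomain -SupportMultipleDomain | Format-List

# Top-level domains currently on other servers: move each one to this server and
# verify it before decommissioning the old servers.
foreach ($d in $OtherDomains) {
    Update-MsolFederatedDomain -DomainName $d -SupportMultipleDomain -ErrorAction Stop
    Get-MsolFederationProperty -DomainName $d -SupportMultipleDomain | Format-List
}

# A brand-new top-level domain is converted rather than updated, with the same switch:
#   Convert-MsolDomainToFederated -DomainName newdomain.com -SupportMultipleDomain
```

The order matters: the first Update-MsolFederatedDomain is the "can I recreate this?" check from step 3, and the script refuses to delete the trust if it fails, because once the trust is gone the only way back is a successful update.  The issuerid check is an additional on-server confirmation that the new trust really is the multi-domain form; Get-MsolFederationProperty is still the authoritative comparison of the AD FS and cloud sides.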